[jboss-user] [Security & JAAS/JBoss] - Q about login config

kabhishek30 do-not-reply at jboss.com
Mon Oct 9 14:46:57 EDT 2006


Q1:
I have an application that I am able to deploy and run on JBoss app server. I use a custom LoginModule for authenticating users into this application. The LoginModule is configured in <jboss_server_path>/conf/login-config.xml as:

<application-policy name="gsnx.security.Login">
	<authentication>
		<login-module code="com.gsnx.core.server.security.LdapLoginModule" flag="required">
			<module-option name="initial-context-factory">com.sun.jndi.ldap.LdapCtxFactory</module-option>
			<module-option name="user-password-changepw-gsnx-handler">com.gsnx.core.server.security.LdapLoginModule</module-option>
			<module-option name="ldap-url">ldap://127.0.0.1:389</module-option>
			<module-option name="connection-username">cn=Manager,dc=gsnx,dc=com</module-option>
			<module-option name="connection-password">changeme</module-option>
			<module-option name="connection-protocol">ldap</module-option>
			<module-option name="authentication">simple</module-option>
			<module-option name="user-search-base">dc=gsnx,dc=com</module-option>
			<module-option name="user-search-pattern">cn={0}</module-option>
			<module-option name="user-search-scope-subtree">true</module-option>
			<module-option name="user-password-attribute"/>
			<module-option name="role-search-base"/>
			<module-option name="role-name-attribute"/>
			<module-option name="role-search-pattern"/>
			<module-option name="role-search-scope-subtree"/>
			<module-option name="user-role-attribute"/>
		</login-module>
	</authentication>
</application-policy>

As can be seen, the custom LoginModule contacts an LDAP server for authentication. All this works fine as long as I can edit the conf/login-config.xml file in my JBoss app server configuration to include my custom LoginModule.

Now, for certain organizational reasons, I do not want to edit the conf/login-config.xml file in JBoss app server's path. So my Q is, is there a way I can configure my custom LoginModule without ever needing to edit the conf/login-config.xml in JBoss's path? Can I somehow provide an additional login-config.xml inside my application's path? Or is there some other way to configure the custom LoginModule so that the configuration remains completely inside the application and does not affect any of the default configuration files for the JBoss app server?


Q2:
Another issue related to the above situation is that I have an external Java RMI program that uses the same custom LoginModule as above for authentication. The loginModule is configured for this external RMI program in a login.config file that is in the classpath in the following way:

gsnx.security.Login 
{
  com.gsnx.core.server.security.LdapLoginModule required 
      initial-context-factory="com.sun.jndi.ldap.LdapCtxFactory"
      ldap-url="ldap://devwrk65.dev.e2open.com:389"
      connection-username="cn=Manager,dc=gsnx,dc=com"
      connection-password="slapface"
      connection-protocol="ldap"
      authentication="simple"
      user-search-base="dc=gsnx,dc=com"
      user-search-pattern="cn={0}"
      user-search-scope-subtree="true"
      user-password-changepw-gsnx-handler="com.gsnx.core.server.security.LdapLoginModule"
      user-password-attribute="userPassword"
      role-search-base=""
      role-name-attribute=""
      role-search-pattern=""
      role-search-scope-subtree=""
      user-role-attribute="";
};

Additionally, an entry is added to <JAVA_HOME>/jre/lib/security/java.security file:

login.config.url.1=file\:C\:/gsnxst/deploy/conf/login.config

Basically, the entry in java.security points to the login.config that has the configuration for the custom LoginModule. Once again, this works fine as long as I can edit the java.security file in JAVA_HOME. But, again for organizational reasons, I do not want to edit the JAVA_HOME Java installation files. Is there another way to configure my custom LoginModule for Java so that I do not have to physically mess around with the Java configuration? There could be other Java programs running on the same machine, and I don't want them affected by my login.config setting. Is there another alternative way to configure the custom LoginModule for Java?

Thanks, and I will appreciate all responses.



View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3977047#3977047
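
Added example, not part of the original post: the Q2 login.config entry expressed as a process-local JAAS Configuration that is handed to a single LoginContext, so neither java.security nor any JVM-wide default is changed. The class name GsnxJaasConfig and the environment variable GSNX_LDAP_BIND_PW are hypothetical, and reading the bind password from the environment instead of a file is an assumption of this sketch.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Alternative with no code change: start only this JVM with
//   -Djava.security.auth.login.config=<path to login.config>
public class GsnxJaasConfig extends Configuration {   // hypothetical class name
    static final String APP_NAME = "gsnx.security.Login";
    // Option names and values copied from the login.config in the post.
    private static final String[][] OPTIONS = {
        {"initial-context-factory", "com.sun.jndi.ldap.LdapCtxFactory"},
        {"ldap-url", "ldap://devwrk65.dev.e2open.com:389"},
        {"connection-username", "cn=Manager,dc=gsnx,dc=com"},
        {"connection-protocol", "ldap"}, {"authentication", "simple"},
        {"user-search-base", "dc=gsnx,dc=com"}, {"user-search-pattern", "cn={0}"},
        {"user-search-scope-subtree", "true"},
        {"user-password-changepw-gsnx-handler", "com.gsnx.core.server.security.LdapLoginModule"},
        {"user-password-attribute", "userPassword"},
        {"role-search-base", ""}, {"role-name-attribute", ""}, {"role-search-pattern", ""},
        {"role-search-scope-subtree", ""}, {"user-role-attribute", ""}};
    private final AppConfigurationEntry[] entries;

    public GsnxJaasConfig(String bindPassword) {
        Map<String, String> opts = new HashMap<String, String>();
        for (String[] kv : OPTIONS) opts.put(kv[0], kv[1]);
        opts.put("connection-password", bindPassword);   // supplied at run time
        entries = new AppConfigurationEntry[] { new AppConfigurationEntry(
            "com.gsnx.core.server.security.LdapLoginModule",
            LoginModuleControlFlag.REQUIRED, opts) };
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        return APP_NAME.equals(name) ? entries : null;   // serve this policy only
    }

    // The Configuration is passed to this LoginContext alone (constructor since Java 5).
    public static LoginContext newLoginContext(CallbackHandler handler) throws LoginException {
        String pw = System.getenv("GSNX_LDAP_BIND_PW");  // hypothetical variable name
        return new LoginContext(APP_NAME, null, handler, new GsnxJaasConfig(pw == null ? "" : pw));
    }

    public static void main(String[] args) {
        Configuration cfg = new GsnxJaasConfig("constructed-sample-value");
        for (AppConfigurationEntry e : cfg.getAppConfigurationEntry(APP_NAME))
            System.out.println(e.getLoginModuleName() + " options=" + e.getOptions().keySet());
    }
}
```

The custom LdapLoginModule class must be on the classpath when login() is called; main only prints the configured entry and does not contact LDAP.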
